Almost 75 million websites work on the WordPress content management system (CMS), yet they suffer more Cross Site Scripting (XSS) incidents than any other CMS.
Research by Imperva found that WordPress websites were attacked 24.1 per cent more than websites running on all other CMS platforms combined. “We believe that popularity and a hacker’s focus go hand-in-hand,” Imperva said in its report.
“When an application or a platform becomes popular, hackers realise that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet.”
WordPress websites suffer 60 per cent more XSS incidents than all other CMS platforms, and the research found that while WordPress is more likely to suffer fewer numbers of incidents for each attack type, it also suffers a higher traffic volume for each attack type.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “For upwards of a decade, the major CMS platforms such as Joomla and WordPress have been deeply researched by both black and white hat hackers (some well-known CMS even changed names during their development).
“In the early days, SQL injections and code execution flaws were commonplace. In fact, around 90 per cent of websites were vulnerable to critical-risk attacks permitting to take control over the website remotely within a dozen of minutes. Nothing in common with medium-risk XSS vulnerabilities that are very common these days. One should not forget that in the past, web applications have never hosted so many critical data and personal information. Today it would be fair to say that the vast majority of data breaches are directly or indirectly related to vulnerable web applications and compromised websites.”
“In the early days, SQL injections and code execution flaws were commonplace. In fact, around 90 per cent of websites were vulnerable to critical-risk attacks permitting to take control over the website remotely within a dozen of minutes. Nothing in common with medium-risk XSS vulnerabilities that are very common these days. One should not forget that in the past, web applications have never hosted so many critical data and personal information. Today it would be fair to say that the vast majority of data breaches are directly or indirectly related to vulnerable web applications and compromised websites.”
Barry Shteiman, director of security strategy at Imperva, said: “Wordpress isn’t a bad platform, it is just a victim to its own popularity and the fact that it also allows custom plugins and code which may expose to more vulnerabilities than they can control themselves.”
The research also found that 48.1 per cent of all attack campaigns target retail applications, while websites that have log-in functionality, and hence contain consumer specific information, suffer 59 per cent of all attacks, and 63 per cent of all SQL Injection attacks
Amichai Shulman, chief technology officer at Imperva, said: “Looking at other sources of attacks, we were also interested to find that infrastructure-as-a-service (IaaS) providers are on the rise as attacker infrastructure.
“For example, 20 per cent of all known vulnerability exploitation attempts have originated from Amaz
on Web Services. They aren’t alone; with this phenomenon on the rise, other IaaS providers have to worry about their servers being compromised. Attackers don’t discriminate when it comes to where a data centre lives.”